Non-Standard Port

Information

• Name: Non-Standard Port

• ID: T1571

• Tactics: TA0011

Introduction

Non-standard port usage (MITRE ATT&CK ID: T1571) refers to adversaries communicating over network protocols using ports that are not typically associated with those protocols. Attackers leverage non-standard ports to bypass firewall restrictions, evade detection, and mask malicious network traffic. Because many security controls and monitoring tools rely on standard port assignments to identify suspicious activity, attackers exploit alternate port configurations to remain stealthy and maintain persistent access to compromised systems.

Deep Dive Into Technique

Attackers frequently use non-standard ports for command-and-control (C2) communications, data exfiltration, and lateral movement within compromised networks. Common technical details and mechanisms include:

• Protocol Manipulation: Attackers may use common protocols (HTTP, HTTPS, DNS, FTP, SSH) over unusual ports to evade traditional port-based filtering.

• Port Obfuscation: Malicious actors deliberately select ports commonly allowed through firewalls, such as TCP ports 80, 443, 53, or 8080, to blend malicious traffic with legitimate traffic.

• Encrypted Traffic on Unusual Ports: Attackers may employ encrypted tunnels (e.g., SSH, SSL/TLS) over non-standard ports to conceal command-and-control communication or exfiltration activities from deep packet inspection (DPI) solutions.

• Dynamic Port Allocation: Malware and attacker scripts may dynamically select random or uncommon ports for each connection attempt, complicating detection and monitoring efforts.

• Port Knocking Techniques: Adversaries may implement port knocking or port hopping strategies, sequentially attempting connections to a series of ports to trigger backdoors or evade detection.

Real-world procedures include:

• Malware families such as Cobalt Strike, Metasploit, and Empire Framework frequently allow attackers to customize ports for C2 communication.

• Threat actors configuring SSH tunnels over non-standard ports to maintain persistent remote access.

• Advanced Persistent Threat (APT) groups regularly employing DNS tunneling over port 53 or HTTP/S tunneling over unusual ports to bypass network security controls.

When this Technique is Usually Used

Attackers typically employ non-standard port usage across various stages of cyber-attacks, including:

• Initial Access: Attackers may establish initial footholds by exploiting vulnerabilities or misconfigurations accessible via unusual ports.

• Command and Control (C2): Predominantly used during the C2 phase, attackers communicate with compromised hosts using non-standard ports to evade detection.

• Lateral Movement: Attackers moving laterally within networks may use non-standard ports to bypass internal network segmentation controls and evade monitoring.

• Data Exfiltration: Attackers exfiltrate sensitive data through non-standard ports to avoid detection by data loss prevention (DLP) tools or firewall rules.

• Persistence and Defense Evasion: Attackers maintain persistent access by leveraging non-standard ports to evade traditional monitoring tools, firewall policies, and intrusion detection systems (IDS).

How this Technique is Usually Detected

Detection methods, tools, and indicators of compromise (IoCs) include:

• Network Traffic Analysis: Analyze network traffic flow logs and packet captures to identify protocols communicating over unusual ports.

• Anomaly Detection Tools: Employ network behavior analysis (NBA) tools and intrusion detection/prevention systems (IDS/IPS) to detect deviations from baseline network traffic patterns.

• Deep Packet Inspection (DPI): Use DPI solutions to identify protocol misuse, encrypted tunnels, or suspicious payloads transmitted over non-standard ports.

• Endpoint Detection and Response (EDR): Monitor endpoints for suspicious network connections initiated by unknown processes or applications on uncommon ports.

• SIEM and Log Correlation: Correlate firewall, IDS/IPS, and endpoint logs to identify unusual port usage patterns or repeated connection attempts.

• Threat Intelligence Integration: Integrate threat intelligence feeds to identify known malicious IP addresses and domains associated with non-standard port usage.

Specific Indicators of Compromise (IoCs):

• Repeated communication attempts to external IP addresses or domains over uncommon ports.

• Known malicious IP addresses or domains communicating over unusual ports.

• Unexpected encrypted traffic (e.g., SSH, SSL/TLS) detected on non-standard ports.

• DNS traffic observed on non-standard ports other than UDP/TCP 53.

• HTTP/HTTPS protocol traffic observed on ports other than TCP 80 or 443.

Why it is Important to Detect This Technique

Early detection of non-standard port usage is critical for minimizing the impact of cyber-attacks. Importance and impacts include:

• Evading Traditional Security Controls: Non-standard ports allow attackers to bypass firewalls, intrusion detection systems, and network monitoring tools, enabling prolonged undetected access.

• Data Exfiltration Risks: Attackers can exfiltrate sensitive data undetected, potentially resulting in severe data breaches, regulatory penalties, and reputational damage.

• Persistence and Extended Compromise: Attackers leveraging non-standard ports can maintain persistent access to compromised systems for extended periods, increasing the risk of lateral movement, privilege escalation, and further exploitation.

• Operational Disruption: Undetected malicious activity can disrupt business operations, degrade network performance, and lead to prolonged downtime and recovery efforts.

• Compliance and Regulatory Violations: Failure to detect and remediate non-standard port usage can result in non-compliance with industry regulations (e.g., PCI DSS, HIPAA, GDPR), leading to fines, legal actions, or loss of customer trust.

• Early Warning of Advanced Threats: Detection of non-standard port usage can serve as an early indicator of sophisticated threat actors or APT groups attempting to evade detection, allowing security teams to proactively respond and mitigate threats.

Examples

Real-world examples demonstrating non-standard port usage include:

• APT29 (Cozy Bear):

  • Attack Scenario: Used custom malware to communicate via HTTPS protocol over non-standard port 8443.

  • Tools Used: Custom malware, encrypted C2 channels.

  • Impact: Enabled persistent access, espionage activities, and data exfiltration undetected by traditional security measures.

• FIN7 Cybercrime Group:

  • Attack Scenario: Leveraged Cobalt Strike Beacon configured to communicate over TCP port 8080 or other uncommon ports.

  • Tools Used: Cobalt Strike, PowerShell scripts.

  • Impact: Allowed FIN7 to evade detection, maintain persistent access, and exfiltrate sensitive payment card information.

• Operation Sharpshooter:

  • Attack Scenario: Used HTTP/S traffic over non-standard ports for command-and-control communication.

  • Tools Used: Rising Sun malware, custom backdoors.

  • Impact: Enabled undetected espionage and data exfiltration from targeted organizations across multiple sectors.

• Lazarus Group:

  • Attack Scenario: Employed SSH tunnels and custom malware communicating over TCP ports 8080, 8443, or random high-numbered ports.

  • Tools Used: Custom malware, SSH tunneling techniques.

  • Impact: Facilitated persistent access, lateral movement, and large-scale data exfiltration operations.

• OilRig (APT34):

  • Attack Scenario: Conducted DNS tunneling over non-standard ports to exfiltrate sensitive information.

  • Tools Used: DNS tunneling malware, custom scripts.

  • Impact: Allowed covert data exfiltration, espionage, and persistent access without detection by traditional monitoring tools.